Starting with the virtual machine on which I previously installed Active Directory, next I am going to set up a simple Certificate Services install. This should usually be installed on a very secure machine in your organization, as it holds the CA's private key and issues the certificates (public keys) used in your network, and possibly on external services if you so wish.

Start by going to Control Panel, and Add or Remove Programs.

Click Add/Remove Windows Components and check the box next to Certificate Services. A dialog will appear with a warning, as in the photo below.

Be sure you read this warning, then click Yes to continue. Then click Next.

Select ‘Enterprise root CA’ and click Next.

You will be asked for the 'Common name for this CA:'; type in the computer's name. In our case, from the last walkthrough, this was "default-fm878pv", which I did not change. If you did not change the name to something more meaningful, cancel out now and change it: once Certificate Services is installed, the computer name can no longer be changed.

Click Next. Click Next again to accept the database paths. You will be asked for the Windows 2003 CD now; insert it and click OK. After the file copy, you may be presented with this.

Click OK.

In this walkthrough we will enable Web Enrollment, as we might use it later for smart cards and the like.

Back at the Add or Remove Programs screen, click Add/Remove Windows Components again, click 'Application Server' (but do not check it), then click Details.

Click on 'Internet Information Services (IIS)' (but do not check it) and click Details.

Scroll down and check the box next to ‘World Wide Web Service’ and click OK. Click OK again. Then click Next. If you removed the 2003 CD, you will need it again.

Reboot the server.

Open a Command Prompt, type 'certutil -vroot' as shown in the photo below, and hit Enter. This creates the /certsrv virtual directory in IIS that web enrollment uses.

Open Internet Explorer on the server, or on another workstation on the network, connect to the server by name or IP address, and browse to /certsrv as shown in the photo below.

If you see this, your web enrollment is working.
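The checks the preceding steps perform by eye (the service is installed and running, an Enterprise root CA was chosen, /certsrv answers) can be scripted. The following PowerShell is an added example, not code from the original post. It assumes it runs on the CA host itself, that the CA common name equals the computer name as in the walkthrough, and that PowerShell has been installed on the Windows 2003 server (it is not part of the default install). The CAType meanings are those of the CertSvc registry configuration; the host name, URLs and timeout are assumptions.

```powershell
# Added example (not from the original post): post-install checks for the Enterprise root CA
# set up above. Assumes it runs on the CA host and that the CA common name is the
# computer name, as in the walkthrough ("default-fm878pv" there).

$caName = $env:COMPUTERNAME   # the walkthrough used the computer name as the CA common name

# 1. Is Certificate Services installed and running?
$svc = Get-Service -Name CertSvc -ErrorAction SilentlyContinue
if ($svc -eq $null) {
    Write-Warning "CertSvc is not installed on this machine"
} elseif ($svc.Status -ne 'Running') {
    Write-Warning ("CertSvc is installed but its state is {0}" -f $svc.Status)
} else {
    Write-Host "CertSvc is running"
}

# 2. Which CA type was selected? CAType is stored under the CA's configuration key.
#    0 = Enterprise root, 1 = Enterprise subordinate, 3 = Standalone root, 4 = Standalone subordinate
$cfgKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"
$caTypeNames = @{ 0 = 'Enterprise root CA'; 1 = 'Enterprise subordinate CA';
                  3 = 'Standalone root CA';  4 = 'Standalone subordinate CA' }
if (Test-Path $cfgKey) {
    $caType = [int](Get-ItemProperty -Path $cfgKey -Name CAType).CAType
    Write-Host ("CA '{0}' type: {1}" -f $caName, $caTypeNames[$caType])
    if ($caType -eq 0 -or $caType -eq 3) {
        # A root CA signs everything below it; the post's advice about a very secure host applies.
        Write-Warning "This is a root CA running online; keep the host tightly controlled and its private key protected."
    }
} else {
    Write-Warning "No CA configuration found under $cfgKey (CA name assumed to be the computer name)"
}

# 3. Does web enrollment answer? Try HTTPS first, fall back to HTTP and flag it.
foreach ($url in @("https://$caName/certsrv/", "http://$caName/certsrv/")) {
    try {
        $req = [System.Net.WebRequest]::Create($url)
        $req.UseDefaultCredentials = $true   # /certsrv uses Windows (integrated) authentication
        $req.Timeout = 5000                  # milliseconds; assumption
        $resp = $req.GetResponse()
        Write-Host ("{0} -> HTTP {1}" -f $url, [int]$resp.StatusCode)
        $resp.Close()
        if ($url -like 'http:*') {
            Write-Warning "Web enrollment is reachable over plain HTTP only; bind an SSL certificate to the site and require SSL on /certsrv so credentials and requests are protected."
        }
        break
    } catch {
        Write-Host ("{0} not reachable: {1}" -f $url, $_.Exception.Message)
    }
}
```

Run it in an elevated PowerShell prompt on the CA; the registry key under CertSvc\Configuration is readable by administrators, and the HTTP probe uses the logged-on account so a 401 from /certsrv does not appear as a failure.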

You can administer your Certificate Services install through Administrative Tools.

You can now use EFS with certificates on your Active Directory client machines. Next you will want to look up how to issue recovery agent certificates to administrators, so that files encrypted by employees or users can be decrypted when you, as the network admin, need access to them.

I will try to include as many screenshots as possible, to help those that are learning or are new to installing Active Directory.

This install was performed on a virtual machine running Windows 2003 R2 Standard. The install will be similar to the install on Windows 2000.

We start off with a fresh install. Close the Configure Your Server wizard; we are going to do this manually.

Assign a static IP address to this server, and set the machine's primary DNS server to its own IP address. I did this while installing Windows.

Next we need to give this machine a DNS suffix. Choose the same one that you will use as the domain name. I'm going to use testdomain.home because this is an example setup, and I chose the .home TLD because it is not valid on the internet, so it will never conflict with a real domain and cause internal network problems such as being unable to browse to real websites.

If you were to choose, say, yahoo.com for your domain name, your clients would not be able to get to the real yahoo.com, because your DNS server would resolve it to your Active Directory server and not to the Yahoo servers.

To do this, right-click My Computer from the Start Menu and choose Properties. Select the Computer Name tab at the top, then click Change. On the Computer Name Changes dialog, click the More button, type in your suffix and click OK.

Restart the server.

Log in to the server and start off by making this a DNS server for Active Directory and the clients.

Go to Start Menu, Control Panel, Add/Remove Programs. Click on Add/Remove Windows Components on your left. Scroll down to Networking Services and highlight it (don't check the box next to it), then click Details. Check the box next to Domain Name System (DNS), click OK, then click Next. Insert the CD if asked, and click OK.

After the files copy, click Finish and close the Add/Remove Programs window.

Go to Start Menu, Administrative Tools, DNS. Right-click Forward Lookup Zones and choose New Zone. Click Next, choose Primary Zone, and click Next. When asked for the Zone Name, you must type the same name you used for the computer name suffix in the previous steps.

Click Next, and then Next again to accept the filename. When asked about dynamic updates, choose 'Allow both nonsecure and secure dynamic updates' (we will secure this later). Click Next, then Finish.

Right-click Reverse Lookup Zones and choose New Zone. Click Next, then Primary Zone, then click Next.

Type in the network ID (the first octets of your network's IP space) and click Next, then Next for the filename, and then choose 'Allow both nonsecure and secure dynamic updates' (we will secure this later). Click Next, then Finish.

Restart the server.

Open a Command Prompt and type 'nslookup'. You should get something similar to the following:

If you get an error, your DNS server is not working correctly yet; it has to be working before you proceed.

Click Start Menu, Run. Type 'dcpromo' and click OK.

Click Next, Next, and then Next again for a domain controller for a new domain, and Next for a domain in a new forest. When asked for the full DNS name, type in the same name you have been using in the steps above.

Click Next after typing your DNS name; the wizard will then test your DNS server. You can change the NetBIOS name or leave the default, then click Next. Accept the default NTDS paths and click Next. Accept the default SYSVOL path and click Next. Click Next again, then choose 'Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems' and click Next. Choose a password for Directory Services Restore Mode, and click Next. Click Next again and the process starts.

When it's all done, click Finish, then Restart.

Click Start Menu, Administrative Tools, DNS. Click and then right-click your domain under Forward Lookup Zones and choose Properties. To the right of Type, click Change. Check 'Store the zone in Active Directory', click OK, and then Yes. Then change the Dynamic updates drop-down box to 'Secure only' and click OK.

Do the same for the Reverse Lookup Zone: click and then right-click your network subnet and click Properties. Change the type to store the zone in Active Directory, then set Dynamic updates to 'Secure only' and click OK.
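The two settings just changed (AD-integrated storage and 'Secure only' dynamic updates) are what stop an arbitrary host on the network from overwriting records in the domain zone, so it is worth confirming them for every zone rather than the two edited by hand. The following PowerShell is an added example, not code from the original post; it audits the zones through the DNS server's WMI provider (root\MicrosoftDNS, present on Windows Server 2003 DNS servers) and assumes PowerShell 2.0 or later has been installed on the DC and that it runs as a domain admin. The `$fix` switch and the server name are assumptions.

```powershell
# Added example (not from the original post): audit DNS zones on the domain controller for
# AD-integrated storage and "Secure only" dynamic updates, the settings the walkthrough
# changes after dcpromo. Uses the DNS server WMI provider (root\MicrosoftDNS).

$dnsServer = '.'     # local machine; put a DC name here to audit remotely (assumption: WMI reachable)
$fix       = $false  # set to $true to switch nonsecure, AD-integrated zones to "Secure only"

# AllowUpdate: 0 = no dynamic updates, 1 = nonsecure and secure, 2 = secure only
$updateNames = @{ 0 = 'None'; 1 = 'Nonsecure and secure'; 2 = 'Secure only' }

$zones = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone -ComputerName $dnsServer |
         Where-Object { -not $_.AutoCreated }   # skip the automatically created reverse zones

$findings = @()
foreach ($z in $zones) {
    $status = 'OK'
    if (-not $z.DsIntegrated) {
        # File-backed primary zones are not protected by AD ACLs and cannot use secure updates.
        $status = 'Not AD-integrated (file-backed zone)'
    } elseif ($z.AllowUpdate -eq 1) {
        # Any host that can reach the server may register or overwrite names in this zone.
        $status = 'Accepts NONSECURE dynamic updates'
        if ($fix) {
            $z.AllowUpdate = 2        # "Secure only": updates must be authenticated and ACL-checked
            $z.Put() | Out-Null
            $status += ' -> changed to Secure only'
        }
    } elseif ($z.AllowUpdate -eq 0) {
        # Not a spoofing risk, but clients and DCs cannot register their own records.
        $status = 'Dynamic updates disabled'
    }
    $findings += New-Object PSObject -Property @{
        Zone          = $z.Name
        ADIntegrated  = [bool]$z.DsIntegrated
        DynamicUpdate = $updateNames[[int]$z.AllowUpdate]
        Status        = $status
    }
}

$findings | Format-Table Zone, ADIntegrated, DynamicUpdate, Status -AutoSize
```

With `$fix` left at `$false` the script only reports; a zone that is still file-backed has to be converted to AD-integrated first (the Change button in the zone's Properties, as above), because 'Secure only' is only offered for AD-integrated zones.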

You now have a domain controller to join clients to. Make sure the clients are using the domain controller as their DNS server.